VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.
Virtual Private Network (VPN)
A private network constructed within a public network infrastructure, such as the global Internet.
Two categories of VPNs:
  A remote access VPN enables remotely located employees to communicate with a central location.
  A site-to-site VPN interconnects two private networks via a public network such as the Internet.
Protocols used by VPN
Point-to-Point Tunneling Protocol (PPTP)
  Simple VPN technology based on the Point-to-Point Protocol
  Supports multiple encapsulation, authentication, and encryption methods
Layer 2 Tunneling Protocol (L2TP)
  Combination of PPTP and Layer 2 Forwarding (L2F)
  Two types of L2TP endpoints: L2TP Access Concentrator (LAC) and L2TP Network Server (LNS)
Internet Protocol Security (IPSec)
  Framework for protecting the confidentiality and integrity of data in transit
  A common use of IPSec is the construction of a VPN
IPSec Protocols
IPSec defines a new set of headers to be added to IP datagrams:
  ESP - confidentiality, data integrity, and data source authentication (RFC 2406)
  AH - data integrity, source authentication (RFC 2402)
Packet layout with ESP: IP Header | ESP Header | Protected Data | ESP Trailer
Packet layout with AH:  IP Header | AH Header | Protected Data
IPSec Modes
Transport Mode
  Protects the upper-layer protocol; the endpoints (IP addresses) are exposed
  IPSec header is inserted between the IP header and the upper-layer protocol header
Tunnel Mode
  The entire IP packet is protected and becomes the payload of a new packet
  IPSec header is inserted between the outer and inner IP headers
  Used by gateways for VPN, which perform encryption on behalf of hosts
IPSec SA (Security Association)
  Relationship between entities on how to communicate securely
  Unidirectional: two per pair of peers, one from A to B and one from B to A
  Identified by an SPI, destination address, and security protocol identifier
IPSec Phases
SPD (Security Policy Database)
  Maintains the IPSec policy
  Each entry defines the traffic to be protected and how to protect it
  Three actions on a traffic match: discard, bypass, and protect
  IP traffic is mapped to an IPSec policy by a selector
IKE (Internet Key Exchange)
  Establishes security parameters and authentication (SAs) between IPSec peers
  IKE SAs define the way in which two peers communicate: which algorithm to use to encrypt IKE traffic, and how to authenticate the remote peer
  The SPD instructs IKE what to establish; IKE establishes IPSec SAs based on its own policy settings
Phase 1 communication
  Identify the peers
  Create IKE SAs by authentication and key exchange
  One side offers a set of algorithms; the other side accepts or rejects
  Derive key material to use for IPSec with AH, ESP, or both
Phase 2 communication
  IPSec SA negotiations are under the protection of the IKE SAs created in phase 1
  IPSec shared key derived using Diffie-Hellman, or by refreshing the existing shared secret
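As an added example (not from the presentation), the SPD selector lookup, the three policy actions and the SA identification triple described above, modelled in Python for the outbound direction of a site-to-site gateway. Prefixes, gateway addresses, SPI values and the dictionary field names are constructed for illustration.

```python
# Added example: a minimal model of the IPsec SPD and SAD.  All addresses,
# SPIs and entry names below are constructed sample values, not real config.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"
ESP, AH = 50, 51  # IP protocol numbers carried in the outer IP header

@dataclass(frozen=True)
class Selector:
    """Traffic selector of an SPD entry; a None field matches anything."""
    src: str                      # source prefix (CIDR)
    dst: str                      # destination prefix (CIDR)
    proto: Optional[int] = None   # IP protocol number
    dport: Optional[int] = None   # destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

# SPD: ordered (selector, action, IPsec protocol) entries; first match wins.
SPD = [
    (Selector("10.1.0.0/16", "10.2.0.0/16"), PROTECT, ESP),  # branch LAN -> HQ LAN
    (Selector("0.0.0.0/0", "203.0.113.10/32", proto=17, dport=500), BYPASS, None),  # IKE (UDP/500) to this gateway
    (Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD, None),     # default: drop
]

# SAD: every SA is unidirectional and identified by (SPI, destination address,
# protocol).  Only the outbound SA toward the HQ gateway is shown; the return
# direction would be a separate entry keyed on this gateway's own address.
SAD = {
    (0x1001, "198.51.100.5", ESP): {"mode": "tunnel", "local": "203.0.113.10"},
}

def spd_lookup(pkt: dict):
    """Map a packet to the first SPD entry whose selector matches it."""
    for sel, action, proto in SPD:
        if sel.matches(pkt):
            return action, proto
    return DISCARD, None

def outbound(pkt: dict):
    """Apply the policy; for PROTECT, build the tunnel-mode outer packet."""
    action, proto = spd_lookup(pkt)
    if action != PROTECT:
        return action, pkt
    for (spi, dst, sa_proto), sa in SAD.items():
        if sa_proto == proto:
            # Tunnel mode: the whole original packet becomes the payload of a
            # new gateway-to-gateway packet whose ESP header carries the SPI.
            return PROTECT, {"src": sa["local"], "dst": dst, "proto": proto,
                             "spi": spi, "inner": pkt}
    return DISCARD, pkt  # policy says protect but no SA yet: drop until IKE negotiates one
```

A real implementation keys the SA choice on the SPD entry itself rather than scanning the SAD by protocol; the scan here only keeps the example short.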
VPN Solutions
Access VPN: offers remote access to a company's Intranet or Extranet. Example: employees on a business trip or in a home office
Intranet VPN: offers the Intranet connection. Example: branch offices
Extranet VPN: offers the Extranet connection. Example: business partners, customers
VPN Solutions – Benefits
Access VPN
  Economical: Internet access vs. long-distance dialup
  Secure
Intranet VPN
  Economical: ISP vs. dedicated connection
  Flexible: topological design, new offices
  Reliable: redundant ISPs
  Secure
Extranet VPN
  Same as Intranet VPN
  Management, authentication and authorization